From: sashiko-bot@kernel.org
To: "Holger Dengler" <dengler@linux.ibm.com>
Cc: linux-s390@vger.kernel.org, "Vasily Gorbik" <gor@linux.ibm.com>,
"Heiko Carstens" <hca@linux.ibm.com>,
"Alexander Gordeev" <agordeev@linux.ibm.com>
Subject: Re: [PATCH v1 1/1] pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl
Date: Fri, 19 Jun 2026 08:00:10 +0000 [thread overview]
Message-ID: <20260619080011.4E1A71F00A3D@smtp.kernel.org> (raw)
In-Reply-To: <20260619074541.1710716-2-dengler@linux.ibm.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] An integer wrap-around in the key bit-size calculation bypasses length validation, leading to massive out-of-bounds memory accesses during a subsequent memcpy().
--
commit 26c99ec1350980042dcf4518941f9831c98478fc
Author: Holger Dengler <dengler@linux.ibm.com>
pkey: Fix bitsize check in PKEY_VERIFYPROTK ioctl
This commit updates the bit-size calculation for protected keys in the
PKEY_VERIFYPROTK ioctl to account for the wrapping key verification pattern
(WKVP). It subtracts the length of the WKVP from the protected key length to
fix the calculation.
> diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
> --- a/drivers/s390/crypto/pkey_api.c
> +++ b/drivers/s390/crypto/pkey_api.c
> @@ -334,7 +334,8 @@ static int pkey_ioctl_verifyprotk(struct pkey_verifyprotk __user *uvp)
> if (copy_from_user(&kvp, uvp, sizeof(kvp)))
> return -EFAULT;
>
> - keytype = pkey_aes_bitsize_to_keytype(8 * kvp.protkey.len);
> + keytype = pkey_aes_bitsize_to_keytype(8 * (kvp.protkey.len -
> + AES_WK_VP_SIZE));
[Severity: Critical]
This is a pre-existing issue, but does this calculation allow an integer
wrap-around that bypasses length validation?
Because kvp.protkey.len is a user-controlled 32-bit unsigned integer and
there is no explicit bounds check against MAXPROTKEYSIZE, a malicious user
can provide an enormous length. For example, if kvp.protkey.len is
536870960 (0x20000030), subtracting AES_WK_VP_SIZE (32) yields 536870928.
Multiplying by 8 results in 4294967424 (0x100000080), which truncates to
128 in 32-bit arithmetic.
pkey_aes_bitsize_to_keytype(128) then returns PKEY_KEYTYPE_AES_128, passing
the !keytype check.
Further down in pkey_ioctl_verifyprotk(), the unvalidated oversized length
is passed into memcpy(t->protkey, kvp.protkey.protkey, kvp.protkey.len).
Since kvp.protkey.protkey is a 64-byte array on the kernel stack and t
points to an 80-byte heap allocation, wouldn't this cause catastrophic
out-of-bounds memory accesses?
> if (!keytype) {
> PKEY_DBF_ERR("%s unknown/unsupported protkey length %u\n",
> __func__, kvp.protkey.len);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260619074541.1710716-2-dengler@linux.ibm.com?part=1
next prev parent reply other threads:[~2026-06-19 8:00 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-19 7:45 [PATCH v1 0/1] pkey: Fix for PKEY_VERIFYPROTK ioctl Holger Dengler
2026-06-19 7:45 ` [PATCH v1 1/1] pkey: Fix bitsize check in " Holger Dengler
2026-06-19 8:00 ` sashiko-bot [this message]
2026-06-19 8:02 ` Holger Dengler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260619080011.4E1A71F00A3D@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=agordeev@linux.ibm.com \
--cc=dengler@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=linux-s390@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox